svn commit: r366329 - stable/12/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Thu Oct 1 16:53:17 UTC 2020
Author: tuexen
Date: Thu Oct 1 16:53:16 2020
New Revision: 366329
URL: https://svnweb.freebsd.org/changeset/base/366329
Log:
MFC r366248:
Improve the input validation and processing of cookies.
This avoids setting the association in an inconsistent
state, which could result in a use-after-free situation.
This can be triggered by a malicious peer, if the peer
can modify the cookie without the local endpoint recognizing
it.
Thanks to Ned Williamson for reporting the issue.
Modified:
stable/12/sys/netinet/sctp_input.c
stable/12/sys/netinet/sctp_pcb.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netinet/sctp_input.c
==============================================================================
--- stable/12/sys/netinet/sctp_input.c Thu Oct 1 16:45:11 2020 (r366328)
+++ stable/12/sys/netinet/sctp_input.c Thu Oct 1 16:53:16 2020 (r366329)
@@ -2040,10 +2040,6 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
vrf_id, port);
return (NULL);
}
- /* get the correct sctp_nets */
- if (netp)
- *netp = sctp_findnet(stcb, init_src);
-
asoc = &stcb->asoc;
/* get scope variables out of cookie */
asoc->scope.ipv4_local_scope = cookie->ipv4_scope;
@@ -2082,10 +2078,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
asoc->advanced_peer_ack_point = asoc->last_acked_seq;
/* process the INIT info (peer's info) */
- if (netp)
- retval = sctp_process_init(init_cp, stcb);
- else
- retval = 0;
+ retval = sctp_process_init(init_cp, stcb);
if (retval < 0) {
(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
SCTP_FROM_SCTP_INPUT + SCTP_LOC_19);
@@ -2199,19 +2192,21 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
*/
;
}
- /* since we did not send a HB make sure we don't double things */
- if ((netp) && (*netp))
- (*netp)->hb_responded = 1;
-
if (stcb->asoc.sctp_autoclose_ticks &&
sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
}
(void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
- if ((netp != NULL) && (*netp != NULL)) {
+ *netp = sctp_findnet(stcb, init_src);
+ if (*netp != NULL) {
struct timeval old;
- /* calculate the RTT and set the encaps port */
+ /*
+ * Since we did not send a HB, make sure we don't double
+ * things.
+ */
+ (*netp)->hb_responded = 1;
+ /* Calculate the RTT. */
old.tv_sec = cookie->time_entered.tv_sec;
old.tv_usec = cookie->time_entered.tv_usec;
sctp_calculate_rto(stcb, asoc, *netp, &old, SCTP_RTT_FROM_NON_DATA);
Modified: stable/12/sys/netinet/sctp_pcb.c
==============================================================================
--- stable/12/sys/netinet/sctp_pcb.c Thu Oct 1 16:45:11 2020 (r366328)
+++ stable/12/sys/netinet/sctp_pcb.c Thu Oct 1 16:53:16 2020 (r366329)
@@ -4291,7 +4291,9 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
if ((ntohs(sin->sin_port) == 0) ||
(sin->sin_addr.s_addr == INADDR_ANY) ||
(sin->sin_addr.s_addr == INADDR_BROADCAST) ||
- IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) {
+ IN_MULTICAST(ntohl(sin->sin_addr.s_addr)) ||
+ (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) != 0) &&
+ (SCTP_IPV6_V6ONLY(inp) != 0))) {
/* Invalid address */
SCTP_INP_RUNLOCK(inp);
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
@@ -4310,7 +4312,8 @@ sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockadd
sin6 = (struct sockaddr_in6 *)firstaddr;
if ((ntohs(sin6->sin6_port) == 0) ||
IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) ||
- IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) {
+ IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) ||
+ ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0)) {
/* Invalid address */
SCTP_INP_RUNLOCK(inp);
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
More information about the svn-src-all
mailing list